Wednesday, June 29, 2005

"IDS Is Dead" Prophet Misunderstands "Sniffing"

Many of you will remember two years ago quotes by Gartner analyst John Pescatore, such as this in Infoworld:

"We think IDS is dead. It’s failed to provide enterprise value," Pescatore says.

Now this security expert has written more words of wisdom in response to an apparent increase in reconnaissance for port 445 TCP. In More Port 445 Activity Could Mean Security Trouble, Pescatore writes:

"An apparent increase in scanning activity may signal an impending malicious-code attack exploiting a critical Windows vulnerability."

Fair enough -- but check out this gem from the next page:

"The apparent increase in 'sniffing' on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack."

Since when is remote reconnaissance considered "sniffing"? Sniffing is a term reserved for inspecting traffic either on the wire or passed via RF. The word implies having a degree of access to an enterprise completely unrelated to conducting port scans.

Of course, drones at Computerworld repeated the misuse of terms by saying

"An increase in sniffing activity on a communications port associated with a software vulnerability disclosed by Microsoft Corp. this month may be the signal of an impending attack designed to exploit the flaw, according to an alert from Gartner Inc."

Regular blog readers know I am sensitive to the misuse of security terms, since it degrades communication and adds to the general level of confusion. I do not know what motivated an outfit like Gartner to apply "sniffing" to the scanning activity in question.
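The distinction drawn above is easiest to see from the sensor's side: an IDS sniffs because it sits on the wire and passively records what passes; a scanner sends probes from outside and never needs that access. What follows is an added example, not code from the original post or from Gartner. It plays the passive sensor role: it reads constructed connection-attempt records in an assumed firewall/flow-export format and flags any source that touches many distinct hosts on 445/TCP within a short window, which is the kind of scanning activity the Gartner alert was describing. The log format, addresses, threshold and window are all assumptions.

```python
"""Added example (not from the original post): flag 445/TCP sweeps from
passively collected connection records, the way a network sensor would."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record format (constructed for this example):
# "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<flags>\S+)$"
)

# Constructed sample: 10.1.1.5 sweeps eight hosts on 445 in four seconds,
# 10.1.1.7 talks to a single host, 10.1.1.9 makes one lone attempt, and one
# line is malformed to show the parser skipping it.
SAMPLE_LOG = """\
2005-06-28T10:00:01 10.1.1.5:33012 -> 192.168.0.10:445 TCP S
2005-06-28T10:00:01 10.1.1.5:33013 -> 192.168.0.11:445 TCP S
2005-06-28T10:00:02 10.1.1.5:33014 -> 192.168.0.12:445 TCP S
2005-06-28T10:00:02 10.1.1.5:33015 -> 192.168.0.13:445 TCP S
2005-06-28T10:00:03 10.1.1.5:33016 -> 192.168.0.14:445 TCP S
2005-06-28T10:00:03 10.1.1.5:33017 -> 192.168.0.15:445 TCP S
2005-06-28T10:00:04 10.1.1.5:33018 -> 192.168.0.16:445 TCP S
2005-06-28T10:00:05 10.1.1.5:33019 -> 192.168.0.17:445 TCP S
2005-06-28T10:00:03 10.1.1.7:40000 -> 192.168.0.10:445 TCP S
2005-06-28T10:00:04 10.1.1.7:40001 -> 192.168.0.10:139 TCP S
this line is not a flow record
2005-06-28T10:30:00 10.1.1.9:50000 -> 192.168.0.12:445 TCP S
"""


def parse_line(line):
    """Parse one record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "flags": m["flags"],
    }


def detect_sweeps(lines, port=445, threshold=5, window=timedelta(seconds=10)):
    """Return {src: distinct_hosts} for every source that attempted connections
    to at least `threshold` distinct hosts on `port` within any `window`.

    Only TCP records with the SYN flag ("S") count, so established traffic to a
    legitimate file server is ignored; a sweep shows up as many SYNs fanning
    out to many hosts from one source in a short time.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        if "S" not in rec["flags"]:
            continue
        attempts[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in attempts.items():
        events.sort()
        best = 0
        # Sliding window anchored at each attempt: count distinct targets seen
        # within `window` of it and keep the largest such count.
        for i in range(len(events)):
            start = events[i][0]
            hosts = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                hosts.add(dst)
            best = max(best, len(hosts))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible 445/TCP sweep from {src}: {n} distinct hosts")
```

Note what the script never does: it sends nothing. Everything it knows comes from records a sensor collected on the wire, which is exactly the access that the word "sniffing" implies and that a remote scanner does not have.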

6 comments:

Keydet89 said...

[i]I do not know what motivated an outfit like Gartner to apply "sniffing" to the scanning activity in question.[/i]

Money? Being the first one to press? I think the more general question of what motivates Gartner (oops, we're back to money again, aren't we?) would be more applicably applied.

I'm with you regarding specificity of language in the security profession. But the media "drones", to coin your term, have already bastardized the use of terms like "virus", "worm", et al, beyond the point of recognition. I guess Gartner's got the "what the heck, why not?" attitude about it all.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

I tend to use the term sniffing more on the network troubleshooting side than on the security side of the house...

can't we all just get along!

Just kidding, but I'm right there with ya Richard.

Rob Dao said...

I know that John knows the difference between sniffing and probing. He probably used terms the general masses would understand.

However, you guys are right. Security vernacular is no longer vernacular. The visibility of our field (security) among lay people and security ignorant IT people is much higher now than previous years. Therefore, a definition of a certain term will slowly be transformed over time to mean something else. Look at term "hacker" for example.

I was on an engagement where an IT professional for a very large govt. agency referred to IDS as a "probe". He asked the question "how many of these probes are you going to install?" This person was a senior engineer with this agency for at least a decade. If this catches on, we may be referring to IDS's as "probes". What a shame.

Stiennon said...

Sheesh. How snooty to think that the security practitioners can co-opt terms like "sniffing" (which means to inhale through the nose for the purpose of *smelling*). JP obviously meant that hackers were snooping around looking for vulnerable systems. The context says it all.

And in all fairness you should not tar JP with the "IDS is Dead" brush. Although he was supportive of the concept at the time because he is a great proponent of stopping attacks as opposed to watching them.

http://www.netforensics.com/inthenews_article.asp?id=19

Richard Bejtlich said...

Sheesh -- it's not like I didn't post a follow-up story that shows Mr. Pescatore was the victim of poor editing and that he originally meant to use the term "scanning."

I guess I should not have called Mr. Pescatore the "IDS is dead prophet," since that title might belong to you? :)

"Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled," said Richard Stiennon, research vice president for Gartner. "Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities."

I do not disagree that firewalls have integrated IPS functions by inspecting layer 7 traffic. I think this is a good idea and the natural evolution of the firewall and IPS as access control devices.

The IDS is not an access control device, however. The IDS should be used as a device to detect access control and security policy failures. In its network audit role, it should keep track of what's happening on the network, and provide that evidence once an analyst knows where to look.

Do you think protocol analyzers are "market failures" because they only detect traffic and don't block it? Of course not -- different roles, different utilities.

I've written several books on this subject that I don't want to summarize here. At some point I'll try to write a short article about these ideas, however.

Thanks for stopping by!
